Vulnerability assessment of machine images in development phase

ABSTRACT

In an embodiment, a software object development system generates a pre-release version of a machine image of a software object, and transmits information associated with the pre-release version of the software object to a vulnerability management system. The vulnerability management system performs a vulnerability scan for known vulnerabilities(s) on the information associated with the pre-release version of the machine image of the software object. The vulnerability management system determines scan result(s) based on the vulnerability scan, and transmits, to the software object development system, a report comprising the scan result(s).

TECHNICAL FIELD

The various aspects and embodiments described herein generally relate to vulnerability assessment.

BACKGROUND

Vulnerability management typically handles vulnerability assessment “after the fact”, meaning that assessment occurs after the potentially vulnerable system is already running on one or more end-points (or assets). This is especially true when pre-building machine instances for virtual environments (such as Amazon Web Services (AWS) Elastic Compute Cloud (EC2) Instances, or VMWare Virtual Machines). The machine image may be built, distributed, and deployed with vulnerabilities already present, with such machines being vulnerable to attack upon deployment.

SUMMARY

The following presents a simplified summary relating to one or more aspects disclosed herein. Thus, the following summary should not be considered an extensive overview relating to all contemplated aspects, nor should the following summary be considered to identify key or critical elements relating to all contemplated aspects or to delineate the scope associated with any particular aspect. Accordingly, the following summary has the sole purpose to present certain concepts relating to one or more aspects relating to the mechanisms disclosed herein in a simplified form to precede the detailed description presented below.

In an aspect, a method of operating a vulnerability management system includes receiving, from a software object development system, information associated with a pre-release version of a machine image of a software object; performing a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object; determining one or more scan results based on the vulnerability scan; and transmitting, to the software object development system, a report comprising the one or more scan results.

In an aspect, a method of operating a software object development system includes generating a pre-release version of a machine image of a software object; transmitting, to a vulnerability management system, information associated with the pre-release version of the machine image of the software object; and receiving, from the vulnerability management system, a report comprising one or more scan results associated with a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object.

In an aspect, a vulnerability management system includes a memory; and at least one processor communicatively coupled to the memory, the at least one processor configured to: receive, from a software object development system, information associated with a pre-release version of a machine image of a software object; perform a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object; determine one or more scan results based on the vulnerability scan; and transmit, to the software object development system, a report comprising the one or more scan results.

In an aspect, a software object development system includes a memory; and at least one processor communicatively coupled to the memory, the at least one processor configured to: generate a pre-release version of a machine image of a software object; transmit, to a vulnerability management system, information associated with the pre-release version of the machine image of the software object; and receive, from the vulnerability management system, a report comprising one or more scan results associated with a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object.

In an aspect, a non-transitory computer-readable medium storing computer-executable instructions that, when executed by a vulnerability management system, cause the vulnerability management system to: receive, from a software object development system, information associated with a pre-release version of a machine image of a software object; perform a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object; determine one or more scan results based on the vulnerability scan; and transmit, to the software object development system, a report comprising the one or more scan results.

In an aspect, a non-transitory computer-readable medium storing computer-executable instructions that, when executed by a software object development system, cause the software object development system to: generate a pre-release version of a machine image of a software object; transmit, to a vulnerability management system, information associated with the pre-release version of the machine image of the software object; and receive, from the vulnerability management system, a report comprising one or more scan results associated with a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object.

Other objects and advantages associated with the aspects disclosed herein will be apparent to those skilled in the art based on the accompanying drawings and detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete appreciation of the various aspects and embodiments described herein and many attendant advantages thereof will be readily obtained as the same becomes better understood by reference to the following detailed description when considered in connection with the accompanying drawings which are presented solely for illustration and not limitation, and in which:

FIG. 1 illustrates an exemplary network having various assets that can be managed using a vulnerability management system, according to various aspects.

FIG. 2 illustrates another exemplary network having various assets that can be managed using a vulnerability management system, according to various aspects.

FIG. 3 illustrates an exemplary server, according to various aspects.

FIG. 4 illustrates exemplary user equipments (UEs), according to various aspects.

FIG. 5 illustrates a vulnerability scanning process in accordance with embodiments of the disclosure.

FIG. 6 illustrates a software object development process in accordance with embodiments of the disclosure.

FIG. 7 illustrates an example implementation of the processes of FIGS. 5-6 in accordance with aspects of the disclosure.

DETAILED DESCRIPTION

Various aspects and embodiments are disclosed in the following description and related drawings to show specific examples relating to exemplary aspects and embodiments. Alternate aspects and embodiments will be apparent to those skilled in the pertinent art upon reading this disclosure, and may be constructed and practiced without departing from the scope or spirit of the disclosure. Additionally, well-known elements will not be described in detail or may be omitted so as to not obscure the relevant details of the aspects and embodiments disclosed herein.

The word “exemplary” is used herein to mean “serving as an example, instance, or illustration.” Any embodiment described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments. Likewise, the term “embodiments” does not require that all embodiments include the discussed feature, advantage, or mode of operation.

The terminology used herein describes particular embodiments only and should not be construed to limit any embodiments disclosed herein. As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. Those skilled in the art will further understand that the terms “comprises,” “comprising,” “includes,” and/or “including,” as used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

Further, various aspects and/or embodiments may be described in terms of sequences of actions to be performed by, for example, elements of a computing device. Those skilled in the art will recognize that various actions described herein can be performed by specific circuits (e.g., an application specific integrated circuit (ASIC)), by program instructions being executed by one or more processors, or by a combination of both. Additionally, these sequences of actions described herein can be considered to be embodied entirely within any form of non-transitory computer-readable medium having stored thereon a corresponding set of computer instructions that upon execution would cause an associated processor to perform the functionality described herein. Thus, the various aspects described herein may be embodied in a number of different forms, all of which have been contemplated to be within the scope of the claimed subject matter. In addition, for each of the aspects described herein, the corresponding form of any such aspects may be described herein as, for example, “logic configured to” and/or other structural components configured to perform the described action.

As used herein, the term “asset” and variants thereof may generally refer to any suitable uniquely defined electronic object that has been identified via one or more preferably unique but possibly non-unique identifiers or identification attributes (e.g., a universally unique identifier (UUID), a Media Access Control (MAC) address, a Network BIOS (NetBIOS) name, a Fully Qualified Domain Name (FQDN), an Internet Protocol (IP) address, a tag, a CPU ID, an instance ID, a Secure Shell (SSH) key, a user-specified identifier such as a registry setting, file content, information contained in a record imported from a configuration management database (CMDB), etc.). For example, the various aspects and embodiments described herein contemplate that an asset may be a physical electronic object such as, without limitation, a desktop computer, a laptop computer, a server, a storage device, a network device, a phone, a tablet, a wearable device, an Internet of Things (IoT) device, a set-top box or media player, etc. Furthermore, the various aspects and embodiments described herein contemplate that an asset may be a virtual electronic object such as, without limitation, a cloud instance, a virtual machine instance, a container, etc., a web application that can be addressed via a Uniform Resource Identifier (URI) or Uniform Resource Locator (URL), and/or any suitable combination thereof. Those skilled in the art will appreciate that the above-mentioned examples are not intended to be limiting but instead are intended to illustrate the ever-evolving types of resources that can be present in a modern computer network. As such, the various aspects and embodiments to be described in further detail below may include various techniques to manage network vulnerabilities according to an asset-based (rather than host-based) approach, whereby the various aspects and embodiments described herein contemplate that a particular asset can have multiple unique identifiers (e.g., a UUID and a MAC address) and that a particular asset can have multiples of a given unique identifier (e.g., a device with multiple network interface cards (NICs) may have multiple unique MAC addresses). Furthermore, as will be described in further detail below, the various aspects and embodiments described herein contemplate that a particular asset can have one or more dynamic identifiers that can change over time (e.g., an IP address) and that different assets may share a non-unique identifier (e.g., an IP address can be assigned to a first asset at a first time and assigned to a second asset at a second time). Accordingly, the identifiers or identification attributes used to define a given asset may vary with respect to uniqueness and the probability of multiple occurrences, which may be taken into consideration in reconciling the particular asset to which a given data item refers. Furthermore, in the elastic licensing model described herein, an asset may be counted as a single unit of measurement for licensing purposes.

According to various aspects, FIG. 1 illustrates an exemplary network 100 having various assets 130 that are interconnected via one or more network devices 140 and managed using a vulnerability management system 150. More particularly, as noted above, the assets 130 may include various types, including traditional assets (e.g., physical desktop computers, servers, storage devices, etc.), web applications that run self-supporting code, Internet of Things (IoT) devices (e.g., consumer appliances, conference room utilities, cars parked in office lots, physical security systems, etc.), mobile or bring-your-own-device (BYOD) resources (e.g., laptop computers, mobile phones, tablets, wearables, etc.), virtual objects (e.g., containers and/or virtual machine instances that are hosted within the network 100, cloud instances hosted in off-site server environments, etc.). Those skilled in the art will appreciate that the assets 130 listed above are intended to be exemplary only and that the assets 130 associated with the network 100 may include any suitable combination of the above-listed asset types and/or other suitable asset types. Furthermore, in various embodiments, the one or more network devices 140 may include wired and/or wireless access points, small cell base stations, network routers, hubs, spanned switch ports, network taps, choke points, and so on, wherein the network devices 140 may also be included among the assets 130 despite being labelled with a different reference numeral in FIG. 1 .

According to various aspects, the assets 130 that make up the network 100 (including the network devices 140 and any assets 130 such as cloud instances that are hosted in an off-site server environment or other remote network 160) may collectively form an attack surface that represents the sum total of resources through which the network 100 may be vulnerable to a cyberattack. As will be apparent to those skilled in the art, the diverse nature of the various assets 130 make the network 100 substantially dynamic and without clear boundaries, whereby the attack surface may expand and contract over time in an often unpredictable manner thanks to trends like BYOD and DevOps, thus creating security coverage gaps and leaving the network 100 vulnerable. For example, due at least in part to exposure to the interconnectedness of new types of assets 130 and abundant software changes and updates, traditional assets like physical desktop computers, servers, storage devices, and so on are more exposed to security vulnerabilities than ever before. Moreover, vulnerabilities have become more and more common in self-supported code like web applications as organizations seek new and innovative ways to improve operations. Although delivering custom applications to employees, customers, and partners can increase revenue, strengthen customer relationships, and improve efficiency, these custom applications may have flaws in the underlying code that could expose the network 100 to an attack. In other examples, IoT devices are growing in popularity and address modern needs for connectivity but can also add scale and complexity to the network 100, which may lead to security vulnerabilities as IoT devices are often designed without security in mind. Furthermore, trends like mobility, BYOD, etc. mean that more and more users and devices may have access to the network 100, whereby the idea of a static network with devices that can be tightly controlled is long gone. Further still, as organizations adopt DevOps practices to deliver applications and services faster, there is a shift in how software is built and short-lived asses like containers and virtual machine instances are used. While these types of virtual assets can help organizations increase agility, they also create significant new exposure for security teams. Even the traditional idea of a perimeter for the network 100 is outdated, as many organizations are connected to cloud instances that are hosted in off-site server environments, increasing the difficulty to accurately assess vulnerabilities, exposure, and overall risk from cyberattacks that are also becoming more sophisticated, more prevalent, and more likely to cause substantial damage.

Accordingly, to address the various security challenges that may arise due to the network 100 having an attack surface that is substantially elastic, dynamic, and without boundaries, the vulnerability management system 150 may include various components that are configured to help detect and remediate vulnerabilities in the network 100.

More particularly, the network 100 may include one or more active scanners 110 configured to communicate packets or other messages within the network 100 to detect new or changed information describing the various network devices 140 and other assets 130 in the network 100. For example, in one implementation, the active scanners 110 may perform credentialed audits or uncredentialed scans to scan certain assets 130 in the network 100 and obtain information that may then be analyzed to identify potential vulnerabilities in the network 100. More particularly, in one implementation, the credentialed audits may include the active scanners 110 using suitable authentication technologies to log into and obtain local access to the assets 130 in the network 100 and perform any suitable operation that a local user could perform thereon without necessarily requiring a local agent. Alternatively and/or additionally, the active scanners 110 may include one or more agents (e.g., lightweight programs) locally installed on a suitable asset 130 and given sufficient privileges to collect vulnerability, compliance, and system data to be reported back to the vulnerability management system 150. As such, the credentialed audits performed with the active scanners 110 may generally be used to obtain highly accurate host-based data that includes various client-side issues (e.g., missing patches, operating system settings, locally running services, etc.). On the other hand, the uncredentialed audits may generally include network-based scans that involve communicating packets or messages to the appropriate asset(s) 130 and observing responses thereto in order to identify certain vulnerabilities (e.g., that a particular asset 130 accepts spoofed packets that may expose a vulnerability that can be exploited to close established connections). Furthermore, as shown in FIG. 1 , one or more cloud scanners 170 may be configured to perform a substantially similar function as the active scanners 110, except that the cloud scanners 170 may also have the ability to scan assets 130 like cloud instances that are hosted in a remote network 160 (e.g., an off-site server environment or other suitable cloud infrastructure).

Additionally, in various implementations, one or more passive scanners 120 may be deployed within the network 100 to observe or otherwise listen to traffic in the network 100, to identify further potential vulnerabilities in the network 100, and to detect activity that may be targeting or otherwise attempting to exploit previously identified vulnerabilities. In one implementation, as noted above, the active scanners 110 may obtain local access to one or more of the assets 130 in the network 100 (e.g., in a credentialed audit) and/or communicate various packets or other messages within the network 100 to illicit responses from one or more of the assets 130 (e.g., in an uncredentialed scan). In contrast, the passive scanners 120 may generally observe (or “sniff”) various packets or other messages in the traffic traversing the network 100 to passively scan the network 100. In particular, the passive scanners 120 may reconstruct one or more sessions in the network 100 from information contained in the sniffed traffic, wherein the reconstructed sessions may then be used in combination with the information obtained with the active scanners 110 to build a model or topology describing the network 100. For example, in one implementation, the model or topology built from the information obtained with the active scanners 110 and the passive scanners 120 may describe any network devices 140 and/or other assets 130 that are detected or actively running in the network 100, any services or client-side software actively running or supported on the network devices 140 and/or other assets 130, and trust relationships associated with the various network devices 140 and/or other assets 130, among other things. In one implementation, the passive scanners 120 may further apply various signatures to the information in the observed traffic to identify vulnerabilities in the network 100 and determine whether any data in the observed traffic potentially targets such vulnerabilities. In one implementation, the passive scanners 120 may observe the network traffic continuously, at periodic intervals, on a pre-configured schedule, or in response to determining that certain criteria or conditions have been satisfied. The passive scanners 120 may then automatically reconstruct the network sessions, build or update the network model, identify the network vulnerabilities, and detect the traffic potentially targeting the network vulnerabilities in response to new or changed information in the network 100.

In one implementation, as noted above, the passive scanners 120 may generally observe the traffic traveling across the network 100 to reconstruct one or more sessions occurring in the network 100, which may then be analyzed to identify potential vulnerabilities in the network 100 and/or activity targeting the identified vulnerabilities, including one or more of the reconstructed sessions that have interactive or encrypted characteristics (e.g., due to the sessions including packets that had certain sizes, frequencies, randomness, or other qualities that may indicate potential backdoors, covert channels, or other vulnerabilities in the network 100). Accordingly, the passive scanners 120 may monitor the network 100 in substantially real-time to detect any potential vulnerabilities in the network 100 in response to identifying interactive or encrypted sessions in the packet stream (e.g., interactive sessions may typically include activity occurring through keyboard inputs, while encrypted sessions may cause communications to appear random, which can obscure activity that installs backdoors or rootkit applications). Furthermore, in one implementation, the passive scanners 120 may identify changes in the network 100 from the encrypted and interactive sessions (e.g., an asset 130 corresponding to a new e-commerce server may be identified in response to the passive scanners 120 observing an encrypted and/or interactive session between a certain host located in the remote network 160 and a certain port that processes electronic transactions). In one implementation, the passive scanners 120 may observe as many sessions in the network 100 as possible to provide optimal visibility into the network 100 and the activity that occurs therein. For example, in one implementation, the passive scanners 120 may be deployed at any suitable location that enables the passive scanners 120 to observe traffic going into and/or out of one or more of the network devices 140. In one implementation, the passive scanners 120 may be deployed on any suitable asset 130 in the network 100 that runs a suitable operating system (e.g., a server, host, or other device that runs Red Hat Linux or FreeBSD open source operating system, a UNIX, Windows, or Mac OS X operating system, etc.).

Furthermore, in one implementation, the various assets and vulnerabilities in the network 100 may be managed using the vulnerability management system 150, which may provide a unified security monitoring solution to manage the vulnerabilities and the various assets 130 that make up the network 100. In particular, the vulnerability management system 150 may aggregate the information obtained from the active scanners 110 and the passive scanners 120 to build or update the model or topology associated with the network 100, which may generally include real-time information describing various vulnerabilities, applied or missing patches, intrusion events, anomalies, event logs, file integrity audits, configuration audits, or any other information that may be relevant to managing the vulnerabilities and assets in the network 100. As such, the vulnerability management system 150 may provide a unified interface to mitigate and manage governance, risk, and compliance in the network 100.

According to various aspects, FIG. 2 illustrates another exemplary network 200 with various assets 230 that can be managed using a vulnerability management system 250. In particular, the network 200 shown in FIG. 2 may have various components and perform substantially similar functionality as described above with respect to the network 100 shown in FIG. 1 . For example, in one implementation, the network 200 may include one or more active scanners 210 and/or cloud scanners 270, which may interrogate assets 230 in the network 200 to build a model or topology of the network 200 and identify various vulnerabilities in the network 200, one or more passive scanners 220 that can passively observe traffic in the network 200 to further build the model or topology of the network 200, identify further vulnerabilities in the network 200, and detect activity that may potentially target or otherwise exploit the vulnerabilities. Additionally, in one implementation, a log correlation engine 290 may be arranged to receive logs containing events from various sources distributed across the network 200. For example, in one implementation, the logs received at the log correlation engine 290 may be generated by internal firewalls 280, external firewalls 284, network devices 240, assets 230, operating systems, applications, or any other suitable resource in the network 200. Accordingly, in one implementation, the information obtained from the active scanners 210, the cloud scanners 270, the passive scanners 220, and the log correlation engine 290 may be provided to the vulnerability management system 250 to generate or update a comprehensive model associated with the network 200 (e.g., topologies, vulnerabilities, assets, etc.).

In one implementation, the active scanners 210 may be strategically distributed in locations across the network 200 to reduce stress on the network 200. For example, the active scanners 210 may be distributed at different locations in the network 200 in order to scan certain portions of the network 200 in parallel, whereby an amount of time to perform the active scans may be reduced. Furthermore, in one implementation, one or more of the active scanners 210 may be distributed at a location that provides visibility into portions of a remote network 260 and/or offloads scanning functionality from the managed network 200. For example, as shown in FIG. 2 , one or more cloud scanners 270 may be distributed at a location in communication with the remote network 260, wherein the term “remote network” as used herein may refer to the Internet, a partner network, a wide area network, a cloud infrastructure, and/or any other suitable external network. As such, the terms “remote network,” “external network,” “partner network,” and “Internet” may all be used interchangeably to suitably refer to one or more networks other than the networks 100, 200 that are managed using the vulnerability management systems 150, 250, while references to “the network” and/or “the internal network” may generally refer to the areas that the systems and methods described herein may be used to protect or otherwise manage. Accordingly, in one implementation, limiting the portions in the managed network 200 and/or the remote network 260 that the active scanners 210 are configured to interrogate, probe, or otherwise scan and having the active scanners 210 perform the scans in parallel may reduce the amount of time that the active scans consume because the active scanners 210 can be distributed closer to scanning targets. In particular, because the active scanners 210 may scan limited portions of the network 200 and/or offload scanning responsibility to the cloud scanners 270, and because the parallel active scans may obtain information from the different portions of the network 200, the overall amount of time that the active scans consume may substantially correspond to the amount of time associated with one active scan.

As such, in one implementation, the active scanners 210 and/or cloud scanners 270 may generally scan the respective portions of the network 200 to obtain information describing vulnerabilities and assets in the respective portions of the network 200. In particular, the active scanners 210 and/or cloud scanners 270 may perform the credentialed and/or uncredentialed scans in the network in a scheduled or distributed manner to perform patch audits, web application tests, operating system configuration audits, database configuration audits, sensitive file or content searches, or other active probes to obtain information describing the network. For example, the active scanners 210 and/or cloud scanners 270 may conduct the active probes to obtain a snapshot that describes assets actively running in the network 200 at a particular point in time (e.g., actively running network devices 240, internal firewalls 280, external firewalls 284, and/or other assets 230). In various embodiments, the snapshot may further include any exposures that the actively running assets to vulnerabilities identified in the network 200 (e.g., sensitive data that the assets contain, intrusion events, anomalies, or access control violations associated with the assets, etc.), configurations for the actively running assets (e.g., operating systems that the assets run, whether passwords for users associated with the assets comply with certain policies, whether assets that contain sensitive data such as credit card information comply with the policies and/or industry best practices, etc.), or any other information suitably describing vulnerabilities and assets actively detected in the network 200. In one implementation, in response to obtaining the snapshot of the network 200, the active scanners 210 and/or cloud scanners 270 may then report the information describing the snapshot to the vulnerability management system 250, which may use the information provided by the active scanners 210 to remediate and otherwise manage the vulnerabilities and assets in the network.

Furthermore, in one implementation, the passive scanners 220 may be distributed at various locations in the network 200 to monitor traffic traveling across the network 200, traffic originating within the network 200 and directed to the remote network 260, and traffic originating from the remote network 260 and directed to the network 200, thereby supplementing the information obtained with the active scanners 210. For example, in one implementation, the passive scanners 220 may monitor the traffic traveling across the network 200 and the traffic originating from and/or directed to the remote network 260 to identify vulnerabilities, assets, or information that the active scanners 210 may be unable to obtain because the traffic may be associated with previously inactive assets that later participate in sessions on the network. Additionally, in one implementation, the passive scanners 220 may be deployed directly within or adjacent to an intrusion detection system sensor 215, which may provide the passive scanners 220 with visibility relating to intrusion events or other security exceptions that the intrusion detection system (IDS) sensor 215 identifies. In one implementation, the IDS may be an open source network intrusion prevention and detection system (e.g., Snort), a packet analyzer, or any other system that having a suitable IDS sensor 215 that can detect and prevent intrusion or other security events in the network 200.

Accordingly, in various embodiments, the passive scanners 220 may sniff one or more packets or other messages in the traffic traveling across, originating from, or directed to the network 200 to identify new network devices 240, internal firewalls 280, external firewalls 284, or other assets 230 in addition to open ports, client/server applications, any vulnerabilities, or other activity associated therewith. In addition, the passive scanners 220 may further monitor the packets in the traffic to obtain information describing activity associated with web sessions, Domain Name System (DNS) sessions, Server Message Block (SMB) sessions, File Transfer Protocol (FTP) sessions, Network File System (NFS) sessions, file access events, file sharing events, or other suitable activity that occurs in the network 200. In one implementation, the information that the passive scanners 220 obtains from sniffing the traffic traveling across, originating from, or directed to the network 200 may therefore provide a real-time record describing the activity that occurs in the network 200. Accordingly, in one implementation, the passive scanners 220 may behave like a security motion detector on the network 200, mapping and monitoring any vulnerabilities, assets, services, applications, sensitive data, and other information that newly appear or change in the network 200. The passive scanners 220 may then report the information obtained from the traffic monitored in the network to the vulnerability management system 250, which may use the information provided by the passive scanners 220 in combination with the information provided from the active scanners 210 to remediate and otherwise manage the network 200.

In one implementation, as noted above, the network 200 shown in FIG. 2 may further include a log correlation engine 290, which may receive logs containing one or more events from various sources distributed across the network 200 (e.g., logs describing activities that occur in the network 200, such as operating system events, file modification events, USB device insertion events, etc.). In particular, the logs received at the log correlation engine 290 may include events generated by one or more of the internal firewalls 280, external firewalls 284, network devices 240, and/or other assets 230 in the network 200 in addition to events generated by one or more operating systems, applications, and/or other suitable sources in the network 200. In one implementation, the log correlation engine 290 may normalize the events contained in the various logs received from the sources distributed across the network 200, and in one implementation, may further aggregate the normalized events with information describing the snapshot of the network 200 obtained by the active scanners 210 and/or the network traffic observed by the passive scanners 220. Accordingly, in one implementation, the log correlation engine 290 may analyze and correlate the events contained in the logs, the information describing the observed network traffic, and/or the information describing the snapshot of the network 200 to automatically detect statistical anomalies, correlate intrusion events or other events with the vulnerabilities and assets in the network 200, search the correlated event data for information meeting certain criteria, or otherwise manage vulnerabilities and assets in the network 200.

Furthermore, in one implementation, the log correlation engine 290 may filter the events contained in the logs, the information describing the observed network traffic, and/or the information describing the snapshot of the network 200 to limit the information that the log correlation engine 290 normalizes, analyzes, and correlates to information relevant to a certain security posture (e.g., rather than processing thousands or millions of events generated across the network 200, which could take a substantial amount of time, the log correlation engine 290 may identify subsets of the events that relate to particular intrusion events, attacker network addresses, assets having vulnerabilities that the intrusion events and/or the attacker network addresses target, etc.). Alternatively (or additionally), the log correlation engine 290 may persistently save the events contained in all of the logs to comply with regulatory requirements providing that all logs must be stored for a certain period of time (e.g., saving the events in all of the logs to comply with the regulatory requirements while only normalizing, analyzing, and correlating the events in a subset of the logs that relate to a certain security posture). As such, the log correlation engine 290 may aggregate, normalize, analyze, and correlate information received in various event logs, snapshots obtained by the active scanners 210 and/or cloud scanners 270, and/or the activity observed by the passive scanners 220 to comprehensively monitor, remediate, and otherwise manage the vulnerabilities and assets in the network 200. Additionally, in one implementation, the log correlation engine 290 may be configured to report information relating to the information received and analyzed therein to the vulnerability management system 250, which may use the information provided by the log correlation engine 290 in combination with the information provided by the passive scanners 220, the active scanners 210, and the cloud scanners 270 to remediate or manage the network 200.

Accordingly, in various embodiments, the active scanners 210 and/or cloud scanners 270 may interrogate any suitable asset 230 in the network 200 to obtain information describing a snapshot of the network 200 at any particular point in time, the passive scanners 220 may continuously or periodically observe traffic traveling in the network 200 to identify vulnerabilities, assets, or other information that further describes the network 200, and the log correlation engine 290 may collect additional information to further identify the vulnerabilities, assets, or other information describing the network 200. The vulnerability management system 250 may therefore provide a unified solution that aggregates vulnerability and asset information obtained by the active scanners 210, the cloud scanners 270, the passive scanners 220, and the log correlation engine 290 to comprehensively manage the network 200.

Security auditing applications typically display security issues (such as vulnerabilities, security misconfigurations, weaknesses, etc.) paired with a particular solution for that given issue. Certain security issues may share a given solution, or have solutions which are superseded or otherwise rendered unnecessary by other reported solutions. Embodiments of the disclosure relate to improving an efficiency by which security issues are reported, managed and/or rectified based on solution supersedence.

In accordance with a first embodiment, when working with security reporting datasets with sparse metadata available, the reported solutions for each security issue are combined, and various “rulesets” are applied against the combined solutions to de-duplicate them and remove solutions that have been superseded by other solutions. As used herein, a ruleset is a set of rules that govern when a solution is to be removed or merged with another and how that merge is to be accomplished. In an example, when solution texts not matching a given ruleset are discovered they are flagged for manual review. Examples of rules that may be included in one or more rulesets are as follows:

-   -   If there is more than one matching solution in the solution         list, remove all but one of those solutions.     -   For solutions matching “Upgrade to <product> x.y.z” where x, y,         and z are integers, select a single result with the highest         x.y.z value (comparing against x first, then y, then z).     -   For solutions matching “Apply fix <fix> to <product>”, create a         new combined solution where <fix> for each solution is         concatenated into a comma separated list for a given <product>.

In accordance with a second embodiment, when working with datasets with metadata available that have an identifier that allows grouping of solutions based on product (e.g., common product enumeration (CPE)) and timestamp information on when a fix has become available, the solutions for each group can be filtered with only display the latest “top level” solution for each group being displayed. In an example, the first and second embodiments can be implemented in conjunction with each other to produce a further refined solution set.

As used herein, a “plug-in” contains logic and metadata for an individual security check in a security auditing application. A plugin may check for one or more mitigations/fixes and flag one or more individual security issues. CPE is a standardized protocol of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets. CPE identifiers contain asset type information (OS/Hardware/Application), vendor, product, and can even contain version information. An example CPE string is “cpe:/o:microsoft:windows_vista:6.0:sp1”, where “/o” stands for operating system, Microsoft is the vendor, windows_vista is the product, major version is 6.0, and minor version is SPl. Further, a common vulnerabilities and exposures (CVE) identifier is an identifier from a national database maintained by NIST/Mitre which keeps a list of known vulnerabilities and exposures. An example identifier would be “CVE-2014-6271” which corresponds to the “ShellShock” vulnerability in the database.

In accordance with one implementation of the second embodiment, solutions (or solution ‘texts’) may first be grouped together based on the CPEs in the plugins they were reported in. The solutions are then sorted by the patch publication date from the plugins which they were sourced from. Solutions containing text that matches a pattern that indicates that the solution is likely a patch recommendation can all be removed from the group except the solution associated with the most recent patch. In this manner, patches with identifiers that cannot be easily sorted (e.g., patches with non-numerical identifiers) and/or for which no ruleset pertains in accordance with the first embodiment can be filtered out from the solution set. In some implementations, additional ruleset-based filtering from the first embodiment can also be applied, to filter out (or de-duplicate) additional duplicate solution information.

In accordance with a third embodiment, a security auditing application may evaluate further metadata in the solution report results that is added based upon asset-specific information (e.g., such as individual patches installed, which mitigations and patches are missing, what individual software installations are installed, patch supersedence information, the relationship between the mitigations/patches and security issues, etc.).

The various embodiments may be implemented on any of a variety of commercially available server devices, such as server 300 illustrated in FIG. 3 . In an example, the server 300 may correspond to one example configuration of a server on which a security auditing application may execute, which in certain implementations may be included as part of the vulnerability management system 150 of FIG. 1 or the vulnerability management system 250 of FIG. 2 . In FIG. 3 , the server 300 includes a processor 301 coupled to volatile memory 302 and a large capacity nonvolatile memory, such as a disk drive 303. The server 300 may also include a floppy disc drive, compact disc (CD) or DVD disc drive 306 coupled to the processor 301. The server 300 may also include network access ports 304 coupled to the processor 301 for establishing data connections with a network 307, such as a local area network coupled to other broadcast system computers and servers or to the Internet.

FIG. 4 illustrates examples of user equipments (UEs) in accordance with embodiments of the invention. In an aspect, one or more of the UEs depicted in FIG. 4 may be used as a software object development system (e.g., for generation of software object development system, etc.). In other aspects, one or more of the UEs depicted in FIG. 4 may be used to log into a server such as the server 300 of FIG. 3 , in which case the server 300, the respective UE, or a combination thereof may correspond to the software object development system.

Referring to FIG. 4 , UE 400 includes one or more processors 405 (e.g., one or more ASICs, one or more digital signal processors (DSPs), etc.) and a memory 410 (e.g., RAM, ROM, EEPROM, flash cards, or any memory common to computer platforms). The UE 400 also optionally includes one or more UI input components 415 (e.g., a keyboard and mouse, a touchscreen, a microphone, one or more buttons such as volume or power buttons, etc.) and one or more UI output components 420 (e.g., speakers, a display screen, a vibration device for vibrating the UE 400, etc.). In an example, the UI input components 415 and UI output components 420 are optional because the UE 400 need not interface with a local user in all implementations.

The UE 400 further includes a wired communications interface 425 and a wireless communications interface 430. In an example, the wired communications interface 425 may be optional (e.g., UE 400 may be configured for wireless communication only). In an example embodiment, if made part of the UE 400, the wired communications interface 425 can be used to support wired local connections to peripheral devices (e.g., a USB connection, a mini USB or lightning connection, a headphone jack, graphics ports such as serial, VGA, HDMI, DVI or DisplayPort, audio ports, and so on) and/or to a wired access network (e.g., via an Ethernet cable or another type of cable that can function as a bridge to the wired access network such as HDMI v1.4 or higher, etc.). In another example embodiment, the wireless communications interface 430 includes one or more wireless transceivers for communication in accordance with a local wireless communications protocol (e.g., WLAN or WiFi, WiFi Direct, Bluetooth, etc.) and/or one or more wireless transceivers for communication with a cellular RAN (e.g., via CDMA, W-CDMA, time division multiple access (TDMA), frequency division multiple access (FDMA), Orthogonal Frequency Division Multiplexing (OFDM), GSM, LTE, 4G, 5G LTE, 5G NR or other protocols that may be used in a terrestrial wireless communication subscriber network). The various components 405-430 of the UE 400 can communicate with each other via a bus 435.

Referring to FIG. 4 , UE 400A is illustrated as a laptop computer, UE 400C, UE 400B is illustrated as a touchscreen device (e.g., a smart phone, a tablet computer, etc.) and UE 400C is illustrated as a desktop computer.

As shown in FIG. 4 , UE 400A includes a display screen 405A and an integrated keyboard 410A. An external casing of UE 400B is configured with a touchscreen display 405B, peripheral buttons 410B, 415B, 420B and 425B (e.g., a power control button, a volume or vibrate control button, an airplane mode toggle button, etc.), at least one front-panel button 430B (e.g., a Home button, etc.), among other components, as is known in the art. While not shown explicitly as part of UE 400B, the UE 400B can include one or more external antennas and/or one or more integrated antennas that are built into the external casing of UE 400B, including but not limited to WiFi antennas, cellular antennas, satellite position system (SPS) antennas (e.g., global positioning system (GPS) antennas), and so on. UE 400C includes a display screen 405C and an external keyboard 410C.

While internal components of UEs such as the UEs 400A-400C can be embodied with different hardware configurations, a basic high-level UE configuration for internal hardware components is shown as platform 402 in FIG. 4 .

Vulnerability management is typically handling vulnerability assessment “after the fact”, meaning that assessment occurs after the potentially vulnerable system is already running on one or more end-points (or assets). This is especially true when pre-building machine instances or Linux containers (e.g., docker containers) for virtual environments (such as Amazon Web Services (AWS) Elastic Compute Cloud (EC2) Instances, or VMWare Virtual Machines). The machine image may be built, distributed, and deployed with vulnerabilities already present, with such machines being vulnerable to attack upon deployment.

Aspects of the disclosure are thereby directed to performing a vulnerability scan on a pre-release version of a machine image of a software object. Such aspects may provide various technical advantages, such as reducing or eliminating the possibility of the software object being deployed with any known vulnerabilities.

FIG. 5 illustrates a vulnerability scanning process 500 in accordance with embodiments of the disclosure. The vulnerability scanning process 500 of FIG. 5 may be performed by a vulnerability management system, such as vulnerability management system 150 or 250 (e.g., which may be implemented via a server such as server 300).

Referring to FIG. 5 , at 510, the vulnerability management system receives, from a software object development system, information associated with a pre-release version of a machine image of a software object. In an example, the information associated with the pre-release version of the machine image of the software object that is received at the vulnerability management system may include inventory information that is collected from a post-build, pre-publish (or pre-release) version of the software object (e.g., a set of installed software, configuration information, or a combination thereof). As used herein, the “pre-release version” of the machine image of the software object means that the software object is in a development phase whereby the software object may be deployed on various test machines for development purposes but has not been released to the public for deployment on machines outside of a test environment.

Referring to FIG. 5 , at 520, the vulnerability management system performs a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object

Referring to FIG. 5 , at 530, the vulnerability management system determines one or more scan results based on the vulnerability scan.

Referring to FIG. 5 , at 540, the vulnerability management system transmits, to the software object development system, a report comprising the one or more scan results.

FIG. 6 illustrates a software object development process 600 in accordance with embodiments of the disclosure. The software object development process 600 of FIG. 6 may be performed by a software object development system (e.g., which may be implemented via server 300 and/or UE 400).

Referring to FIG. 6 , at 610, the software object development system generates a pre-release version of a machine image of a software object. For example, the pre-release version of the machine image of the software object may be generated via a variety of well-known development toolkits, such as Packet, Ansible, Vagrant, and so on.

Referring to FIG. 6 , at 620, the software object development system transmits, to a vulnerability management system, information associated with the pre-release version of the machine image of the software object. In an example, the information associated with the pre-release version of the machine image of the software object that is transmitted to the vulnerability management system may include inventory information that is collected from a post-build, pre-publish (or pre-release) version of the software object (e.g., a set of installed software, configuration information, or a combination thereof).

Referring to FIG. 6 , at 630, the software object development system receives, from the vulnerability management system, a report comprising one or more scan results associated with a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object.

Referring to FIGS. 5-6 , in an aspect, the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment. For example, the virtualized environment may be Infrastructure as a Service (IaaS) or Amazon Web Services (AWS).

Referring to FIGS. 5-6 , in an aspect, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.

Referring to FIGS. 5-6 , in an aspect, the vulnerability management system may calculate a vulnerability risk score associated with the vulnerability scan. Calculation of such vulnerability risk scores is generally well-known in the art, but typically are applied to released versions of software objects, rather than a pre-release version of a machine image of a software object. The report from the vulnerability management system to the software object development system may indicate whether the vulnerability risk score is below a threshold, or the report may indicate the vulnerability risk score (e.g., so that the software object development system may compare the vulnerability risk score with the threshold), or the report may indicate whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the vulnerability risk score (e.g., in this case, the vulnerability risk score itself need not be conveyed to the software object development system).

Referring to FIGS. 5-6 , the software object development system may determine whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the one or more scan results. If the pre-release version of the machine image of the software object passes the vulnerability test, the software object development system may release the pre-release version of the machine image of the software object. In an aspect, the pass or fail determination may be based (directly or indirectly) on a vulnerability risk score associated with the pre-release version of the machine image of the software object.

Referring to FIGS. 5-6 , in an aspect, the pre-release vulnerability scanning technique may be implemented with respect to any build-time tooling or process for producing machine images. In a further aspect, the pre-release vulnerability scanning technique may also be implemented for other types of assessment beyond vulnerability scanning (e.g., compliance, malware scanning, etc.). In this case, the report may further include scan results indicative of a compliance score and/or a malware score that may also be factored into the pass/fail decision at the software object development system. In a further aspect, the pre-release vulnerability scanning technique may be implemented for any type of assessment tool that allows for either just-in-time scanning either locally or in part with a hosted service.

FIG. 7 illustrates an example implementation 700 of the processes 600-700 of FIGS. 6-7 , respectively, in accordance with aspects of the disclosure. In FIG. 7 , a software object development system 710 includes a builder module 712, an inventory collection module 714, and a decision module 716, and a vulnerability management system 720 includes a management module 722 and an inventory scanner module 724. The various modules described with respect to FIG. 7 may be deployed as discrete hardware components, logical modules, software, or any combination thereof. The example of FIG. 7 is described specifically to an Amazon Machine Image (AMI) in AWS. In an aspect, because Packer (and all AWS AMI build processes) require a running instance, inventory collection at some stage in the assembly (or development) process. By way of example, Packer provides a plugin framework in its implementation that can be used to extend the various aspects of machine image building, namely:

-   -   Builders—provides a mechanism for actually assembling the type         of output artifact,     -   Data Sources—provides information that can be used in build         configuration,     -   Provisioners—provides execution of provisioning in the running         “instance”, where the artifact is being built, and     -   Post-processors—provides functionality that occurs post-build,         such as pushing an AMI to amazon.

In an aspect, the process 700 of FIG. 7 may utilize a Packer plugin that provides an implementation of the Provisioner interface, so inventory collection can be executed on the running image.

Referring to FIG. 7 , at 730, the builder module 712 assembles an AMI (e.g., via an AMI assembly tool such as Packer). At 732, the builder module 712 invokes inventory collection post-assembly of the AMI via the inventory collection module 714. For example, the inventory collection module 714 may be a proprietary image analyzer that is capable of extracting information to determine system state of an AMI. At 734, the inventory collection module 714 submits inventory for analysis to the management module 722. At 736, the management module 736 sends the inventory to the inventory scanner module 724. At 738, the inventory scanner module 724 performs the vulnerability assessment (scan) on the inventory. At 740, result(s) of the vulnerability assessment (scan) are sent to the management module 722.

Referring to FIG. 7 , at 742, the builder module 712 invokes the decision module 716 (i.e., to request that the decision module 716 receive/interpret the results of the vulnerability assessment or scan on the inventory). At 744, the decision module 716 polls the management module 722 for result(s) of the vulnerability assessment (scan). At 746, a current state of assessment of the scanned inventory is sent back to the decision module 716. At 748, the decision module 716 evaluates the scan result(s). In some designs, the decision module 716 may autonomously make a simple pass/file decision at 748. In other designs, a more in-depth analysis may be performed which involves coordination with the builder module 712. For example, the scan result(s) may be analyzed against a policy, which may be retrieved from the builder module 712 during the evaluation at 748 in an example. The decision module 716 may then reach a pass/fail decision based on the scan result(s) as a function of the policy. At 750, the decision module 716 provides a pass/fail decision for the AMI to the builder module 712. If the pass/fail decision at 750 is that the build has failed, then the build is failed at 752 (e.g., developer must address the vulnerabilities in the build before it is released). If the pass/fail decision at 750 is that the build has passed, then the build is passed at 754 and the AMI may publish.

While not expressly illustrated in FIG. 7 , in some designs, the Packer plugin at the builder module 712 may further be configured to perform one or more of the following:

-   -   Implement a post-processor interface, which queries the platform         to get the result of the initial inventory scan to determine if         the image is vulnerable and should be failed, and/or     -   Implement a post-processor interface, which can properly         identify the previously submitted inventory with the AMI-ID of         the image, should the build succeed and the AMI be published for         use (e.g., live scanning would then be performed on this image         asset until it was deleted or aged out).

In some designs, the processes of FIGS. 5-7 may be used for the tracking of future vulnerabilities for known images that passed assessment at build-time, but later drifted to be vulnerable as new vulnerabilities for those locked images are discovered.

In the detailed description above it can be seen that different features are grouped together in examples. This manner of disclosure should not be understood as an intention that the example clauses have more features than are explicitly mentioned in each clause. Rather, the various aspects of the disclosure may include fewer than all features of an individual example clause disclosed. Therefore, the following clauses should hereby be deemed to be incorporated in the description, wherein each clause by itself can stand as a separate example. Although each dependent clause can refer in the clauses to a specific combination with one of the other clauses, the aspect(s) of that dependent clause are not limited to the specific combination. It will be appreciated that other example clauses can also include a combination of the dependent clause aspect(s) with the subject matter of any other dependent clause or independent clause or a combination of any feature with other dependent and independent clauses. The various aspects disclosed herein expressly include these combinations, unless it is explicitly expressed or can be readily inferred that a specific combination is not intended (e.g., contradictory aspects, such as defining an element as both an electrical insulator and an electrical conductor). Furthermore, it is also intended that aspects of a clause can be included in any other independent clause, even if the clause is not directly dependent on the independent clause.

Implementation examples are described in the following numbered clauses:

Clause 1. A method of operating a vulnerability management system, comprising: receiving, from a software object development system, information associated with a pre-release version of a machine image of a software object; performing a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object; determining one or more scan results based on the vulnerability scan; and transmitting, to the software object development system, a report comprising the one or more scan results.

Clause 2. The method of clause 1, wherein the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment.

Clause 3. The method of clause 2, wherein the virtualized environment is Infrastructure as a Service (IaaS).

Clause 4. The method of any of clauses 2 to 3, wherein the virtualized environment is Amazon Web Services (AWS).

Clause 5. The method of any of clauses 1 to 4, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.

Clause 6. The method of any of clauses 1 to 5, wherein the determining comprises: calculating a vulnerability risk score associated with the vulnerability scan.

Clause 7. The method of clause 6, wherein the report indicates whether the vulnerability risk score is below a threshold, or wherein the report indicates the vulnerability risk score, or wherein the report indicates whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the vulnerability risk score.

Clause 8. A method of operating a software object development system, comprising: generating a pre-release version of a machine image of a software object; transmitting, to a vulnerability management system, information associated with the pre-release version of the machine image of the software object; and receiving, from the vulnerability management system, a report comprising one or more scan results associated with a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object.

Clause 9. The method of clause 8, further comprising: determining whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the one or more scan results.

Clause 10. The method of clause 9, further comprising: releasing the pre-release version of the machine image of the software object if the pass or fail determination determines that the pre-release version of the machine image of the software object passes the vulnerability test.

Clause 11. The method of any of clauses 9 to 10, wherein the pass or fail determination is based on a vulnerability risk score associated with the pre-release version of the machine image of the software object.

Clause 12. The method of clause 11, wherein the report indicates whether the vulnerability risk score is below a threshold, or wherein the report indicates the vulnerability risk score, or wherein the report indicates whether the pre-release version of the machine image of the software object passes or fails the vulnerability test.

Clause 13. The method of any of clauses 8 to 12, wherein the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment.

Clause 14. The method of clause 13, wherein the virtualized environment is Infrastructure as a Service (IaaS).

Clause 15. The method of any of clauses 13 to 14, wherein the virtualized environment is Amazon Web Services (AWS).

Clause 16. The method of any of clauses 8 to 15, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.

Clause 17. A vulnerability management system, comprising: a memory; and at least one processor communicatively coupled to the memory, the at least one processor configured to: receive, from a software object development system, information associated with a pre-release version of a machine image of a software object; perform a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object; determine one or more scan results based on the vulnerability scan; and transmit, to the software object development system, a report comprising the one or more scan results.

Clause 18. The vulnerability management system of clause 17, wherein the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment.

Clause 19. The vulnerability management system of clause 18, wherein the virtualized environment is Infrastructure as a Service (IaaS).

Clause 20. The vulnerability management system of any of clauses 18 to 19, wherein the virtualized environment is Amazon Web Services (AWS).

Clause 21. The vulnerability management system of any of clauses 17 to 20, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.

Clause 22. The vulnerability management system of any of clauses 17 to 21, wherein the determination comprises: calculation of a vulnerability risk score associated with the vulnerability scan.

Clause 23. The vulnerability management system of clause 22, wherein the report indicates whether the vulnerability risk score is below a threshold, or wherein the report indicates the vulnerability risk score, or wherein the report indicates whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the vulnerability risk score.

Clause 24. A software object development system, comprising: a memory; and at least one processor communicatively coupled to the memory, the at least one processor configured to: generate a pre-release version of a machine image of a software object; transmit, to a vulnerability management system, information associated with the pre-release version of the machine image of the software object; and receive, from the vulnerability management system, a report comprising one or more scan results associated with a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object.

Clause 25. The software object development system of clause 24, wherein the at least one processor is further configured to: determine whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the one or more scan results.

Clause 26. The software object development system of clause 25, wherein the at least one processor is further configured to: release the pre-release version of the machine image of the software object if the pass or fail determination determines that the pre-release version of the machine image of the software object passes the vulnerability test.

Clause 27. The software object development system of any of clauses 25 to 26, wherein the pass or fail determination is based on a vulnerability risk score associated with the pre-release version of the machine image of the software object.

Clause 28. The software object development system of clause 27, wherein the report indicates whether the vulnerability risk score is below a threshold, or wherein the report indicates the vulnerability risk score, or wherein the report indicates whether the pre-release version of the machine image of the software object passes or fails the vulnerability test.

Clause 29. The software object development system of any of clauses 24 to 28, wherein the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment.

Clause 30. The software object development system of clause 29, wherein the virtualized environment is Infrastructure as a Service (IaaS).

Clause 31. The software object development system of any of clauses 29 to 30, wherein the virtualized environment is Amazon Web Services (AWS).

Clause 32. The software object development system of any of clauses 24 to 31, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.

Clause 33. A non-transitory computer-readable medium storing computer-executable instructions that, when executed by a vulnerability management system, cause the vulnerability management system to: receive, from a software object development system, information associated with a pre-release version of a machine image of a software object; perform a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object; determine one or more scan results based on the vulnerability scan; and transmit, to the software object development system, a report comprising the one or more scan results.

Clause 34. The non-transitory computer-readable medium of clause 33, wherein the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment.

Clause 35. The non-transitory computer-readable medium of clause 34, wherein the virtualized environment is Infrastructure as a Service (IaaS).

Clause 36. The non-transitory computer-readable medium of any of clauses 34 to 35, wherein the virtualized environment is Amazon Web Services (AWS).

Clause 37. The non-transitory computer-readable medium of any of clauses 33 to 36, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.

Clause 38. The non-transitory computer-readable medium of any of clauses 33 to 37, wherein the determination comprises: calculation of a vulnerability risk score associated with the vulnerability scan.

Clause 39. The non-transitory computer-readable medium of clause 38, wherein the report indicates whether the vulnerability risk score is below a threshold, or wherein the report indicates the vulnerability risk score, or wherein the report indicates whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the vulnerability risk score.

Clause 40. A non-transitory computer-readable medium storing computer-executable instructions that, when executed by a software object development system, cause the software object development system to: generate a pre-release version of a machine image of a software object; transmit, to a vulnerability management system, information associated with the pre-release version of the machine image of the software object; and receive, from the vulnerability management system, a report comprising one or more scan results associated with a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object.

Clause 41. The non-transitory computer-readable medium of clause 40, further comprising computer-executable instructions that, when executed by the software object development system, cause the software object development system to: determine whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the one or more scan results.

Clause 42. The non-transitory computer-readable medium of clause 41, further comprising computer-executable instructions that, when executed by the software object development system, cause the software object development system to: release the pre-release version of the machine image of the software object if the pass or fail determination determines that the pre-release version of the machine image of the software object passes the vulnerability test.

Clause 43. The non-transitory computer-readable medium of any of clauses 41 to 42, wherein the pass or fail determination is based on a vulnerability risk score associated with the pre-release version of the machine image of the software object.

Clause 44. The non-transitory computer-readable medium of clause 43, wherein the report indicates whether the vulnerability risk score is below a threshold, or wherein the report indicates the vulnerability risk score, or wherein the report indicates whether the pre-release version of the machine image of the software object passes or fails the vulnerability test.

Clause 45. The non-transitory computer-readable medium of any of clauses 40 to 44, wherein the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment.

Clause 46. The non-transitory computer-readable medium of clause 45, wherein the virtualized environment is Infrastructure as a Service (IaaS).

Clause 47. The non-transitory computer-readable medium of any of clauses 45 to 46, wherein the virtualized environment is Amazon Web Services (AWS).

Clause 48. The non-transitory computer-readable medium of any of clauses 40 to 47, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.

Clause 49. An apparatus comprising means for performing a method according to any of clauses 1 to 16.

Those skilled in the art will appreciate that information and signals may be represented using any of a variety of different technologies and techniques. For example, data, instructions, commands, information, signals, bits, symbols, and chips that may be referenced throughout the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or particles, optical fields or particles, or any combination thereof.

Further, those skilled in the art will appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the aspects disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted to depart from the scope of the various aspects and embodiments described herein.

The various illustrative logical blocks, modules, and circuits described in connection with the aspects disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices (e.g., a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration).

The methods, sequences, and/or algorithms described in connection with the aspects disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM, flash memory, ROM, EPROM, EEPROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of non-transitory computer-readable medium known in the art. An exemplary non-transitory computer-readable medium may be coupled to the processor such that the processor can read information from, and write information to, the non-transitory computer-readable medium. In the alternative, the non-transitory computer-readable medium may be integral to the processor. The processor and the non-transitory computer-readable medium may reside in an ASIC. The ASIC may reside in an IoT device. In the alternative, the processor and the non-transitory computer-readable medium may be discrete components in a user terminal.

In one or more exemplary aspects, the functions described herein may be implemented in hardware, software, firmware, or any combination thereof. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a non-transitory computer-readable medium. Computer-readable media may include storage media and/or communication media including any non-transitory medium that may facilitate transferring a computer program from one place to another. A storage media may be any available media that can be accessed by a computer. By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. Also, any connection is properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of a medium. The term disk and disc, which may be used interchangeably herein, includes CD, laser disc, optical disc, DVD, floppy disk, and Blu-ray discs, which usually reproduce data magnetically and/or optically with lasers. Combinations of the above should also be included within the scope of computer-readable media.

While the foregoing disclosure shows illustrative aspects and embodiments, those skilled in the art will appreciate that various changes and modifications could be made herein without departing from the scope of the disclosure as defined by the appended claims. Furthermore, in accordance with the various illustrative aspects and embodiments described herein, those skilled in the art will appreciate that the functions, steps, and/or actions in any methods described above and/or recited in any method claims appended hereto need not be performed in any particular order. Further still, to the extent that any elements are described above or recited in the appended claims in a singular form, those skilled in the art will appreciate that singular form(s) contemplate the plural as well unless limitation to the singular form(s) is explicitly stated. 

What is claimed is:
 1. A method of operating a vulnerability management system, comprising: receiving, from a software object development system, information associated with a pre-release version of a machine image of a software object; performing a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object; determining one or more scan results based on the vulnerability scan; and transmitting, to the software object development system, a report comprising the one or more scan results.
 2. The method of claim 1, wherein the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment.
 3. The method of claim 2, wherein the virtualized environment is Infrastructure as a Service (IaaS).
 4. The method of claim 2, wherein the virtualized environment is Amazon Web Services (AWS).
 5. The method of claim 1, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.
 6. The method of claim 1, wherein the determining comprises: calculating a vulnerability risk score associated with the vulnerability scan.
 7. The method of claim 6, wherein the report indicates whether the vulnerability risk score is below a threshold, or wherein the report indicates the vulnerability risk score, or wherein the report indicates whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the vulnerability risk score.
 8. A method of operating a software object development system, comprising: generating a pre-release version of a machine image of a software object; transmitting, to a vulnerability management system, information associated with the pre-release version of the machine image of the software object; and receiving, from the vulnerability management system, a report comprising one or more scan results associated with a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object.
 9. The method of claim 8, further comprising: determining whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the one or more scan results.
 10. The method of claim 9, further comprising: releasing the pre-release version of the machine image of the software object if the pass or fail determination determines that the pre-release version of the machine image of the software object passes the vulnerability test.
 11. The method of claim 9, wherein the pass or fail determination is based on a vulnerability risk score associated with the pre-release version of the machine image of the software object.
 12. The method of claim 11, wherein the report indicates whether the vulnerability risk score is below a threshold, or wherein the report indicates the vulnerability risk score, or wherein the report indicates whether the pre-release version of the machine image of the software object passes or fails the vulnerability test.
 13. The method of claim 8, wherein the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment.
 14. The method of claim 13, wherein the virtualized environment is Infrastructure as a Service (IaaS).
 15. The method of claim 13, wherein the virtualized environment is Amazon Web Services (AWS).
 16. The method of claim 8, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.
 17. A vulnerability management system, comprising: a memory; and at least one processor communicatively coupled to the memory, the at least one processor configured to: receive, from a software object development system, information associated with a pre-release version of a machine image of a software object; perform a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object; determine one or more scan results based on the vulnerability scan; and transmit, to the software object development system, a report comprising the one or more scan results.
 18. The vulnerability management system of claim 17, wherein the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment.
 19. The vulnerability management system of claim 18, wherein the virtualized environment is Infrastructure as a Service (IaaS).
 20. The vulnerability management system of claim 18, wherein the virtualized environment is Amazon Web Services (AWS).
 21. The vulnerability management system of claim 17, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.
 22. The vulnerability management system of claim 17, wherein the determination comprises calculation a vulnerability risk score associated with the vulnerability scan.
 23. The vulnerability management system of claim 22, wherein the report indicates whether the vulnerability risk score is below a threshold, or wherein the report indicates the vulnerability risk score, or wherein the report indicates whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the vulnerability risk score.
 24. A software object development system, comprising: a memory; and at least one processor communicatively coupled to the memory, the at least one processor configured to: generate a pre-release version of a machine image of a software object; transmit, to a vulnerability management system, information associated with the pre-release version of the machine image of the software object; and receive, from the vulnerability management system, a report comprising one or more scan results associated with a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object.
 25. The software object development system of claim 24, wherein the at least one processor is further configured to: determine whether the pre-release version of the machine image of the software object passes or fails a vulnerability test based on the one or more scan results.
 26. The software object development system of claim 25, wherein the at least one processor is further configured to: release the pre-release version of the machine image of the software object if the pass or fail determination determines that the pre-release version of the machine image of the software object passes the vulnerability test.
 27. The software object development system of claim 25, wherein the pass or fail determination is based on a vulnerability risk score associated with the pre-release version of the machine image of the software object.
 28. The software object development system of claim 27, wherein the report indicates whether the vulnerability risk score is below a threshold, or wherein the report indicates the vulnerability risk score, or wherein the report indicates whether the pre-release version of the machine image of the software object passes or fails the vulnerability test.
 29. The software object development system of claim 24, wherein the pre-release version of the machine image of the software object corresponds to a build for use in a virtualized environment.
 30. The software object development system of claim 29, wherein the virtualized environment is Infrastructure as a Service (IaaS).
 31. The software object development system of claim 29, wherein the virtualized environment is Amazon Web Services (AWS).
 32. The software object development system of claim 24, the pre-release version of the machine image of the software object comprises a set of installed software, configuration information, or a combination thereof.
 33. A non-transitory computer-readable medium storing computer-executable instructions that, when executed by a vulnerability management system, cause the vulnerability management system to: receive, from a software object development system, information associated with a pre-release version of a machine image of a software object; perform a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object; determine one or more scan results based on the vulnerability scan; and transmit, to the software object development system, a report comprising the one or more scan results.
 34. A non-transitory computer-readable medium storing computer-executable instructions that, when executed by a software object development system, cause the software object development system to: generate a pre-release version of a machine image of a software object; transmit, to a vulnerability management system, information associated with the pre-release version of the machine image of the software object; and receive, from the vulnerability management system, a report comprising one or more scan results associated with a vulnerability scan for a set of known vulnerabilities on the information associated with the pre-release version of the machine image of the software object. 